QUESTION 81

Which two identifiers are used by a Cisco Easy VPN Server to reference the correct group policy 
information for connecting a Cisco Easy VPN Client? (Choose two.) 

A. IKE ID_KEY_ID 

B. OU field in a certificate that is presented by a client 

C. XAUTH username 

D. hash of the OTP that is sent during XAUTH challenge/response 

E. IKE ID_IPV4_ADDR 

Answer: AB 
QUESTION 82 

Which multicast routing mechanism is optimal to support many-to-many multicast applications? 

A. PIM-SM 

B. MOSPF 

C. DVMRP 

D. BIDIR-PIM 

E. MSDP 

Answer: D 
QUESTION 83 

Which three statements regarding VLANs are true? (Choose three.) 

A. To create a new VLAN on a Cisco Catalyst switch, the VLAN name, VLAN ID and VLAN type must 
all be specifically configured by the administrator. 

B. A VLAN is a broadcast domain. 

C. Each VLAN must have an SVI configured on the Cisco Catalyst switch for it to be operational. 

D. The native VLAN is used for untagged traffic on an 802.1Q trunk.

E. VLANs can be connected across wide-area networks. 

Answer: BDE 
QUESTION 84 

Which technology, configured on the Cisco ASA, allows Active Directory authentication credentials 
to be applied automatically to web forms that require authentication for clientless SSL 
connections? 

A. one-time passwords 

B. certificate authentication 

C. user credentials obtained during authentication 

D. Kerberos authentication 

Answer: C 
QUESTION 85 

In what subnet does address 192.168.23.197/27 reside? 

A. 192.168.23.0

B. 192.168.23.128 

C. 192.168.23.160 

D. 192.168.23.192 

E. 192.168.23.196 

Answer: D



QUESTION 86 

Given the IPv4 address 10.10.100.16, which two addresses are valid IPv4-compatible IPv6 
addresses? (Choose two.) 



A. :::A:A:64:10 

B. ::10:10:100:16 

C. 0:0:0:0:0:10:10:100:16 

D. 0:0:10:10:100:16:0:0:0 



Answer: BC 



QUESTION 87 

Refer to the exhibit. Which three fields of the IP header labeled can be used in a spoofing attack? 
(Choose one.) 

A. 6, 7, 11

B. 6, 11, 12

C. 3, 11, 12

D. 4, 7, 11



Answer: A 



QUESTION 88 

What is the size of a point-to-point GRE header, and what is the protocol number at the IP layer? 

A. 8 bytes, and protocol number 74 

B. 4 bytes, and protocol number 47 

C. 2 bytes, and protocol number 71 

D. 24 bytes, and protocol number 1 

E. 8 bytes, and protocol number 47

Answer: B

QUESTION 89

When implementing WLAN security, what are three benefits of using TKIP instead of WEP?
(Choose three.)

A. TKIP uses an advanced encryption scheme based on AES.

B. TKIP provides authentication and integrity checking using CBC-MAC.

C. TKIP provides per-packet keying and a rekeying mechanism.

D. TKIP provides message integrity check.

E. TKIP reduces WEP vulnerabilities by using a different hardware encryption chipset.

F. TKIP uses a 48-bit initialization vector.

Answer: CDF
QUESTION 90

Which two statements about SHA are correct? (Choose two.)

A. Five 32-bit variables are applied to the message to produce the 160-bit hash.

B. The message is split into 64-bit blocks for processing.

C. The message is split into 512-bit blocks for processing.

D. SHA-2 and MD5 both consist of four rounds of processing.

Answer: AC
QUESTION 91

Which three statements about IKEv2 are correct? (Choose three.)

A. INITIAL_CONTACT is used to synchronize state between peers.

B. The IKEv2 standard defines a method for fragmenting large messages.

C. The initial exchanges of IKEv2 consist of IKE_SA_INIT and IKE_AUTH.

D. Rekeying IKE and child SAs is facilitated by the IKEv2 CREATE_CHILD_SA exchange.

E. NAT-T is not supported.

F. Attribute policy push (via the configuration payload) is only supported in REQUEST/REPLY mode.

Answer: ACD
QUESTION 92

Which three statements about LDAP are true? (Choose three.) 

A. LDAP uses UDP port 389 by default. 

B. LDAP is defined in terms of ASN.1 and transmitted using BER. 

C. LDAP is used for accessing X.500 directory services. 

D. An LDAP directory entry is uniquely identified by its DN. 

E. A secure connection via TLS is established via the UseTLS operation. 

Answer: BCD 
QUESTION 93 

Which two EAP methods may be susceptible to offline dictionary attacks? (Choose two.) 

A. EAP-MD5 

B. LEAP 

C. PEAP with MS-CHAPv2 

D. EAP-FAST 

Answer: AB 
QUESTION 94 

Which PKCS is invoked during IKE MM5 and MM6 when digital certificates are used as the 
authentication method? 

A. PKCS#7 

B. PKCS#10 

C. PKCS#13 

D. PKCS#11 

E. PKCS#3

Answer: A

QUESTION 95

Which mode of operation must be enabled on CSM to support roles such as Network
Administrator, Approver, Network Operator, and Help Desk?

A. Deployment Mode

B. Activity Mode

C. Workflow Mode

D. User Roles Mode

E. Administration Mode

F. Network Mode

Answer: C

QUESTION 96

Which two ISE Probes would be required to distinguish accurately the difference between an iPad
and a MacBook Pro? (Choose two.)

A. DHCP or DHCPSPAN

B. SNMPTRAP 

C. SNMPQUERY 

D. NESSUS 

E. HTTP 

F. DHCP TRAP 

Answer: AE 
QUESTION 97 

Which configuration option will correctly process network authentication and authorization using
both 802.1X and MAB on a single port?

A. interface FastEthernet1/0/9
switchport access vlan 200
switchport mode access
switchport voice vlan 40
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication event server dead action authorize vlan 200
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
ip dhcp snooping information option allow-untrusted
end

B. interface FastEthernet1/0/9
switchport access vlan 200
switchport mode access
switchport voice vlan 40
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication event server dead action authorize vlan 200
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication violation restrict
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
ip dhcp snooping information option allow-untrusted
end

C. interface FastEthernet1/0/9
switchport access vlan 200
switchport mode access
switchport voice vlan 40
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication event server dead action authorize vlan 200
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
ip dhcp snooping information option allow-untrusted
end

D. interface FastEthernet1/0/9
switchport access vlan 200
switchport mode access
switchport voice vlan 40
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication event server dead action authorize vlan 200
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control force-unauthorized
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
ip dhcp snooping information option allow-untrusted
end



Answer: B 



QUESTION 98 

Which statement regarding the routing functions of the Cisco ASA is true? 

A. The translation table can override the routing table for new connections. 

B. The ASA supports policy-based routing with route maps.

C. In a failover pair of ASAs, the standby firewall establishes a peer relationship with OSPF neighbors.

D. Routes to the Null0 interface can be configured to black-hole traffic.



Answer: A 



QUESTION 99 

Which three statements are true about the Cisco ASA object configuration below? (Choose three.) 

object network vpnclients 

range 10.1.100.4 10.1.100.10 

object network vpnclients 

nat (outside,outside) dynamic interface



A. The NAT configuration in the object specifies a PAT rule.

B. This configuration requires the command same-security-traffic inter-interface for traffic that matches 
this NAT rule to pass through the Cisco ASA appliance. 

C. The NAT rule of this object will be placed in Section 1 (Auto-NAT) of the Cisco ASA NAT table.

D. This configuration is most likely used to provide Internet access to connected VPN clients. 

E. Addresses in the range will be assigned during config-mode. 

Answer: ACD 
QUESTION 100 

Which three attributes may be configured as part of the Common Tasks panel of an authorization
profile in the Cisco ISE solution? (Choose three.)

A. VLAN 

B. voice VLAN 

C. dACL name 

D. voice domain permission 

E. SGT 

Answer: ACD 